SecurityContextConstraints: update description of the Priority field

[php-coder]

Sync description with reality and documentation.

PTAL @pweil-
CC @simo5

[pweil-]

LGTM. May want to quote "nil" so it is obvious it's a literal value. Otherwise it looks like it should be capitalized to me 😄

[php-coder]

@pweil- Thanks! I've added quotes.

[simo5]

LGTM [test]

[openshift-bot]

Evaluated for origin test up to 56452ce

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/3441/) (Base Commit: 74121fa) (PR Branch Commit: 56452ce)

[php-coder]

Test flake #13536

[php-coder]

@mfojtik And this one too, please :)

[mfojtik]

i guess "nil" is not what you use when you want to set this via api (iow. you don't do "priority": "nil". I would use the word "not set" instead of "nil".

[php-coder]

I've updated it to "An unset value is considered a 0 priority." PTAL

[mfojtik]

@php-coder one comment, /approved

[php-coder]

It failed because of #15579

[php-coder]

/test extended_conformance_install_update

[php-coder]

/retest

[php-coder]

@stevekuznetsov @deads2k This PR modifies API-related files and hence has "needs-api-review" tag but it changes only a comment. What is a procedure for merging such PRs?

[stevekuznetsov]

@php-coder you should probably get a review from someone in @openshift/sig-security since the comments are exposed to end-users

[php-coder]

/test extended_templates

[php-coder]

@openshift/security PTAL

[simo5]

/lgtm

[pweil-]

/approved

[stevekuznetsov]

@Kargakis looks like we need to honor the api-approved label -- don't add the needs-api-review if we have it

[0xmichalis]

@Kargakis looks like we need to honor the api-approved label -- don't add the needs-api-review if we have it

@deads2k already asked for it; we need to move path-label in a prow plugin and make it configurable so that it can choose from a whitelist what labels to add either once or always. Not a high priority.

[0xmichalis]

Meaning we need to sort out cherry-picks and flake detection first.

[php-coder]

@stevekuznetsov @Kargakis Could someone then merge it manually?

[stevekuznetsov]

@php-coder it will merge fine even with the label

[pweil-]

/approve

[php-coder]

@php-coder it will merge fine even with the label

@stevekuznetsov ... but when?

[php-coder]

What if I don't want to wait when @mfojtik came back from his PTO to merge a trivial PR that updates only comments? Is it possible with our infrastructure?

[pweil-]

@php-coder as soon as my name gets added to owners #15712

[0xmichalis]

@stevekuznetsov ... but when?

You miss an approved label. It should be possible to determine it by looking at the "Submit Queue" github status context below ("PR does not have approved label. "). You can also click at the Details button, under the MERGE REQUIREMENTS section you can read:

PRs must meet the following set of conditions to be considered for automatic merging by the submit queue.

    The PR must be mergeable. aka cannot need a rebase
    All of the following github statuses must be green
        ci/openshift-jenkins/verify
        ci/openshift-jenkins/unit
        ci/openshift-jenkins/cmd
        ci/openshift-jenkins/integration
        ci/openshift-jenkins/end_to_end
        ci/openshift-jenkins/extended_conformance_install_update
        ci/openshift-jenkins/extended_conformance_gce
        ci/openshift-jenkins/extended_networking_minimal
        ci/openshift-jenkins/extended_templates
    The PR cannot have any of the following milestones: []
    The PR must have the "lgtm" label
    The PR must not have been updated since the "lgtm" label was applied
    The PR must have the "approved" label
    The PR must not have the "do-not-merge" label


The PR can then be queued to re-test before merge. Once it reaches the top of the queue all of the above conditions must be true but so must the following:

    All of the following tests must pass a second time
        ci/openshift-jenkins/verify
        ci/openshift-jenkins/unit
        ci/openshift-jenkins/cmd
        ci/openshift-jenkins/integration
        ci/openshift-jenkins/end_to_end
        ci/openshift-jenkins/extended_conformance_install_update
        ci/openshift-jenkins/extended_conformance_gce
        ci/openshift-jenkins/extended_networking_minimal
        ci/openshift-jenkins/extended_templates
    Unless the "retest-not-required" or "retest-not-required-docs-only" label is present

And then the PR will be merged!!

Sorry if it may not be obvious enough. We should create a document that aggregates explanations for all of our new CI tools, I think @stevekuznetsov has made a start.

[php-coder]

@Kargakis The behavior that surprised me is that when @pweil- left /approve comment, the bot had done nothing. I'd expect that it should says that Paul doesn't have permissions to approve. AFAIR k8s bots follow this behavior.

[0xmichalis]

@Kargakis The behavior that surprised me is that when @pweil- left /approve comment, the bot had done nothing. I'd expect that it should says that Paul doesn't have permissions to approve. AFAIR k8s bots follow this behavior.

I see the bot added a comment: #15425 (comment)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: php-coder, pweil-, simo5
We suggest the following additional approver: mfojtik

Assign the PR to them by writing /assign @mfojtik in a comment when ready.

[php-coder]

I see the bot added a comment.

Hm. Thank you for teaching me. Probably, I didn't understand how it works before and thought that approval from one person is enough to have approved label. I see that the rules a bit more complex.

[stevekuznetsov]

You need an approval from one person from each of the directories that it touches. The bot says so in the comment:

Needs approval from an approver in each of these OWNERS Files:
  -  OWNERS

If we changed more than one directory, they would all be listed there. An approval from someone in a top-level dir will approve dirs underneath.

Since this has been LGTMed by @pweil- and @mfojtik I'll /approve

@php-coder please let us know if the UX is not optimal, but also please be sure to read the comments the bot writes. The extra complexity does give us benefits -- requiring LGTM and approval gives a small set of approvers ability to delegate nitty-gritty reviews to reviewers, requiring approval from all the dirs allows us to ensure a code change gets looked at by all the right people, etc.

[stevekuznetsov]

/approve

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: php-coder, pweil-, simo5, stevekuznetsov

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• OWNERS [pweil-,stevekuznetsov]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[openshift-merge-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[openshift-merge-robot]

Automatic merge from submit-queue